I'm getting mail-exchange admin audit logs. The steps I performed are:
Step 1
Set-AdminAuditLogConfig -AdminAuditLogCmdlets *
Step 2
Set-AdminAuditLogConfig -AdminAuditLogParameters *
Step 3
Set-AdminAuditLogConfig -AdminAuditLogEnabled $true
Step 4
Search-AdminAuditLog -StartDate 01/22/2014 -EndDate 04/23/2014 -ResultSize Unlimited | Export-Csv "c:\test-Admin-Audit-Results.csv"
I'm very confused by the output, because in the caller column I'm getting user IDs other than admins: normal users as well. For example:
The caller column for one row is mydomain/Users/nadmin
For another row the caller would be mydomain/Users/john
The cmdlet names for the non-admin entries would be, e.g.:
- Enable-Mailbox
- Set-MailboxMessageConfiguration
The point of confusion is: I thought extracting mail-admin audit logs would ONLY produce events/actions for user nadmin. Why does it bring non-admin user activities? Is it because of how I supplied the configuration parameters?
Secondly, is it not possible to define what needs to get audited using
Set-AdminAuditLogConfig
but only for a separate audit role? The reason is, if I change the settings it will only limit audit logging to certain cmdlets. I want a role, e.g. security auditor, who is auditing x number of cmdlets for y user, and the other cmdlets (non-audit-important ones) can be kept in the original role of MS Exchange admin without any interruption. Can such a thing be achieved?
As a workaround, I'm currently extracting using the search command to bring me logs for user ID admin. Please suggest.
Thanks.
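
The workaround mentioned in the post (pulling only the entries for particular callers and cmdlets) can also be applied to the exported CSV. The following is an added example, not part of the original post; the sample rows, dates and watch lists are constructed, and the "security auditor" view is a hypothetical reporting filter, not an Exchange role.

```powershell
# Constructed sample rows standing in for c:\test-Admin-Audit-Results.csv.
# In practice: $rows = Import-Csv 'c:\test-Admin-Audit-Results.csv'
$rows = @'
RunDate,Caller,CmdletName,ObjectModified,Succeeded
2014-02-03 09:14:00,mydomain/Users/nadmin,Enable-Mailbox,mydomain/Users/alice,True
2014-02-03 09:20:00,mydomain/Users/john,Set-MailboxMessageConfiguration,mydomain/Users/john,True
2014-02-10 16:02:00,mydomain/Users/nadmin,Set-AdminAuditLogConfig,Admin Audit Log Settings,True
2014-03-01 11:45:00,mydomain/Users/john,Enable-Mailbox,mydomain/Users/bob,True
'@ | ConvertFrom-Csv

# Assumed watch lists for the hypothetical auditor view.
$watchedCallers = @('mydomain/Users/nadmin')
$watchedCmdlets = @('Enable-Mailbox', 'Set-AdminAuditLogConfig')

# 1. Who ran what: one line per caller/cmdlet pair, with a count.
$rows | Group-Object Caller, CmdletName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Auditor view: watched cmdlets run by watched callers only.
$rows | Where-Object {
    $watchedCallers -contains $_.Caller -and
    $watchedCmdlets -contains $_.CmdletName
} | Sort-Object { [datetime]$_.RunDate } |
    Format-Table RunDate, Caller, CmdletName, ObjectModified -AutoSize

# 3. Watched cmdlets run by a caller who is NOT on the watch list.
$rows | Where-Object {
    $watchedCmdlets -contains $_.CmdletName -and
    $watchedCallers -notcontains $_.Caller
} | Format-Table RunDate, Caller, CmdletName, ObjectModified -AutoSize

# Server-side form of view 2, filtering at search time instead of afterwards:
# Search-AdminAuditLog -UserIds nadmin -Cmdlets Enable-Mailbox,Set-AdminAuditLogConfig `
#     -StartDate 01/22/2014 -EndDate 04/23/2014
```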